-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test/document TLS authentication, then add support for TRUSTED CERTIFICATE pem headers #24733
Conversation
|
||
const { | ||
assert, connect, keys | ||
} = require(fixtures.path('tls-connect')); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this module maybe rather be in test/common/
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know. It predates test/common, AFAICT, but perhaps it should have been moved there when test/common was created? Moving it would be a good code-n-learn activity.
479d168
to
2934a3d
Compare
2934a3d
to
4b48cf9
Compare
3674751
to
61380b3
Compare
While I was doing some support yesterday for people banging their head against node's tls, I found that node wasn't working with "TRUSTED CERATIFICATE", and @bnoordhuis pointed me towards the root cause. I pushed the fix onto this PR so I can use the tests to prove it did not used to work, and now it does.
-CAfile option eventually leads to, so I believe calling PEM_read_bio_X509_AUX() is the right thing for Node.js to do as well.
@addaleax @bnoordhuis PTAL |
Travis failed to find the first commit, as it often does. |
Resume Build CI: https://ci.nodejs.org/job/node-test-pull-request/19129/ |
ca: client.ca, | ||
requestCert: true, | ||
}, | ||
}, function(err, pair, cleanup) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wrap in common.mustCall(...)
here and below?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The common connect()
function does that already.
The linux failures look unrelated but the windows failures do. As to why the connection is being established when it shouldn't, I have no idea. |
61380b3
to
a75dd8e
Compare
Resume CI (scheduled): https://ci.nodejs.org/job/node-test-pull-request/19190/ |
Windows failures on CI are relevant: 03:11:38 not ok 456 parallel/test-tls-client-auth
03:11:38 ---
03:11:38 duration_ms: 0.239
03:11:38 severity: fail
03:11:38 exitcode: 1
03:11:38 stack: |-
03:11:38 c:\workspace\node-test-binary-windows\test\parallel\test-tls-client-auth.js:152
03:11:38 assert.strictEqual(err.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE');
03:11:38 ^
03:11:38
03:11:38 TypeError: Cannot read property 'code' of undefined
03:11:38 at c:\workspace\node-test-binary-windows\test\parallel\test-tls-client-auth.js:152:26
03:11:38 at c:\workspace\node-test-binary-windows\test\common\index.js:346:15
03:11:38 at maybeCallback (c:\workspace\node-test-binary-windows\test\fixtures\tls-connect.js:97:7)
03:11:38 at TLSSocket.<anonymous> (c:\workspace\node-test-binary-windows\test\fixtures\tls-connect.js:68:13)
03:11:38 at TLSSocket.emit (events.js:189:13)
03:11:38 at TLSSocket.onConnectSecure (_tls_wrap.js:1168:10)
03:11:38 at TLSSocket.emit (events.js:189:13)
03:11:38 at TLSSocket._finishInit (_tls_wrap.js:629:8)
03:11:38 ... |
f838013
to
62e0408
Compare
Ah, Windows CRLF... I do not love thee. |
linux failures: https://ci.nodejs.org/job/node-test-commit-linux/23842/ Look like exit code test failures, not related to TLS. re-ci: https://ci.nodejs.org/job/node-test-commit-linux/23845/ |
more aix & linux exit code and CLI syntax failures, retry: https://ci.nodejs.org/job/node-test-commit/24172/ |
The only failures were test-cli-syntax.js, which is flaky. I'm re-running ci, but I think this is landable. |
Landed in 83ec33b...2e4a163 |
TLS client authentication should be tested, including failure scenarios. PR-URL: #24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
TLS client authentication should be tested, including failure scenarios. PR-URL: #24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Notable changes: * **test**: * test TLS client authentication (Sam Roberts) [#24733](#24733) * **tls**: * support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts) [#24733](#24733) * **tools**: * update ESLint to 5.10.0 (cjihrig) [#24903](#24903) * **util**: * add inspection getter option (Ruben Bridgewater) [#24852](#24852) PR-URL: #25102
Notable changes: * **test**: * test TLS client authentication (Sam Roberts) [#24733](#24733) * **tls**: * support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts) [#24733](#24733) * **tools**: * update ESLint to 5.10.0 (cjihrig) [#24903](#24903) * **util**: * add inspection getter option (Ruben Bridgewater) [#24852](#24852) PR-URL: #25102
TLS client authentication should be tested, including failure scenarios. PR-URL: nodejs#24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Support the same PEM certificate formats for the ca: option to tls.createSecureContext() that are supported by openssl when loading a CAfile. Fixes: nodejs#24761 PR-URL: nodejs#24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Notable changes: * **tls**: * support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts) [nodejs#24733](nodejs#24733) * **util**: * add inspection getter option (Ruben Bridgewater) [nodejs#24852](nodejs#24852) PR-URL: nodejs#25102
TLS client authentication should be tested, including failure scenarios. PR-URL: #24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
TLS client authentication should be tested, including failure scenarios. PR-URL: #24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Support the same PEM certificate formats for the ca: option to tls.createSecureContext() that are supported by openssl when loading a CAfile. Fixes: nodejs#24761 PR-URL: nodejs#24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
TLS client authentication should be tested, including failure scenarios. PR-URL: #24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
TLS client authentication should be tested, including failure scenarios.
There were tests for a couple success scenarios as side-effects of testing other things, but little coverage for the various ways intermediate and root CAs can be configured.
Support the same PEM certificate formats for the ca: option to
tls.createSecureContext() that are supported by openssl when loading a
CAfile.
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes